BUG/MEDIUM: acl: do not evaluate next terms after a miss

When a condition does something like :

   action if A B C || D E F

If B returns a miss (can't tell true or false), C must not
be evaluated. This is important when C has a side effect
(eg: sc*_inc_gpc0). However the second part after the ||
can still be evaluated.

diff --git a/src/acl.c b/src/acl.c
index e6cbd306aebfdbcba89db105df1addac85708b74..4d7216f1781a17b939d741a5fa5eb421cb977f27 100644 (file)
--- a/src/acl.c
+++ b/src/acl.c
@@ -1779,8 +1779,8 @@ int acl_exec_cond(struct acl_cond *cond, struct proxy *px, struct session *l4, v
 
                        suite_res &= acl_res;
 
-                       /* we're ANDing these terms, so a single FAIL is enough */
-                       if (suite_res == ACL_PAT_FAIL)
+                       /* we're ANDing these terms, so a single FAIL or MISS is enough */
+                       if (suite_res != ACL_PAT_PASS)
                                break;
                }
                cond_res |= suite_res;